IIS and Kerberos
IIS and Kerberos Part 6 - New in IIS 7
Note:
previous articles
Windows Server 2008 and IIS 7.0 introduce some changes to the way that you need to implement Kerberos support. The three major changes that I'm aware of are:
1. Service Principal Names (SPNs) no longer need to be registered under the account that the web application pool is running under. Instead, in a default configuration you can run the web application pool under any account (custom user account, or LocalSystem, LocalService or NetworkService) and register the SPN under the machine account in Active Directory. See this post for more details.
2. Your web application pool does not need LocalSystem privileges to be able to perform protocol transition. You can do this using NetworkService.
3. If you want to use  in web.config for your ASP.NET pages, you need to disable validateIntegratedModeConfiguration if you are using the Integrated Mode Pipeline. Otherwise you'll get a 500.24 error. You can either set validateIntegratedModeConfiguration to False or you can run in the Classic Mode Pipeline.
New in IIS 7 - Kernel Mode Authentication
Windows Server 2003 SP1 introduces kernel mode SSL. Windows Server 2008 takes this one step further and introduces kernel mode authentication. This can be utilised by IIS 7.0 applications to improve performance. It also has implications for Kerberos authentication and management of SPNs.
Consider the following scenario:
Ensuring Kerberos AuthN for App1 wouldn't be possible in IIS 6/5 (earlier versions were pre-Windows 2000 so didn't support Kerberos). This was because SPNs are based on a FQDN and the SPN for http/ could only be registered under a single account (and not under the two different accounts that AppPool1 and AppPool2 are using).
In Windows Server 2008 there is support for a new kernel mode authentication. I am supposing that this is implemented in ksecdd.sys, but it may be implemented elsewhere. When using kernel mode authentication, the service ticket is decrypted by the server (aka machine account), not by the user account that the web app pool is running under.
Because of this, it's possible to:
∙ Register every SPN for each application hosted on the web server under the machine account in Active Directory, regardless of the identity of the web app pool that the application is being hosted in
∙ Run multiple web applications hosted at the same FQDN under web app pools that are, in turn, running under multiple Windows identities.
Edit:
Anil from the IIS Product Group pointed out an error in my advice below (it's not necessary to actually disable Kernel Mode Authentication). I have updated the section below:
There is a caveat. This is because the service ticket decryption takes place using the server's AD machine account. If you are using a web farm, then the KDC doesn't know in advance which individual server will be servicing the request. In that case, it's impossible to deterministically register the SPN under a single machine account. Instead, you will need to:
∙ Configure IIS to use the web application pool's identity for Kerberos service ticket decryption (rather than disabling kernel mode authentication, as this section originally advised)
∙ Run the web app pool under a common domain user account
∙ Be restricted to running all web applications accessible at that FQDN under web app pools that are using the same domain user account above
If you are in this situation, then you can enable the use of the web app pool's identity for Kerberos service ticket decryption (rather than disabling kernel mode authentication) by setting the property useAppPoolCredentials to true for the web application or web site in question. An example would be:
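The following is an added configuration example, not the article's own snippet: it shows the two IIS 7 settings discussed above side by side, the web-farm setting (useAppPoolCredentials under windowsAuthentication in applicationHost.config, which is what the caveat above calls for) and the validateIntegratedModeConfiguration setting from point 3 (in the application's web.config). The site name "Default Web Site" is a placeholder; substitute the site or application in question.

```xml
<!-- applicationHost.config (server-wide config): keep kernel mode authentication on,
     but decrypt service tickets with the application pool's domain account so every
     farm node holding the same SPN can decrypt tickets issued for it.
     Placeholder site name; scope the <location> to the site or application in question. -->
<location path="Default Web Site">
  <system.webServer>
    <security>
      <authentication>
        <windowsAuthentication enabled="true"
                               useKernelMode="true"
                               useAppPoolCredentials="true">
          <providers>
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</location>

<!-- web.config of the ASP.NET application (point 3 above): suppress the 500.24
     Integrated Mode validation error instead of falling back to the Classic pipeline. -->
<configuration>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
  </system.webServer>
</configuration>
```

The windowsAuthentication section is locked at the server level by default, so the first fragment belongs in applicationHost.config (or is committed there with `appcmd set config "Default Web Site" -section:system.webServer/security/authentication/windowsAuthentication /useAppPoolCredentials:true /commit:apphost`) rather than in the application's own web.config. Only turn useAppPoolCredentials on when every application pool serving that FQDN runs as the one domain account whose SPN is registered; otherwise the ticket is encrypted for an account that the pool decrypting it does not hold.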
IIS and Kerberos. Part 1 - What is Kerberos and how does it work?
Edit:
I've created a list of all the parts in this series here, which will be updated as I add more parts.
Configuring Kerberos and Delegation is one of the more common problems I see in the communities and even within Avanade. Since Kerberos isn't a simple topic, I'm going to write a quick series explaining how Kerberos works, common scenarios and problems, and some troubleshooting tips.
Kerberos is an open authentication protocol developed at MIT, and implemented in Windows 2000/2003 Active Directory domains (amongst other places). Authentication is the process of proving your identity to a remote system. Your identity is who you are, and authentication is the process of proving that. In many systems your identity is your username, and you use a secret shared between you and the remote system (a password) to prove your identity.
The problem with simplistic shared secret systems is two-fold:
a) there is a scalability problem. If every user needs to maintain a shared secret with every individual server (or every service on every server!) then that results in poor passwords. Users cannot be expected to remember dozens, hundreds or thousands of unique passwords and so end up repeating them regardless of whether the server is a low security or high security resource.
b) there is an issue in securely transmitting the shared secret from the user to the server. Various technologies (like TLS/SSL) exist for securing the transport of data between machines, however it is incumbent upon each service to utilise services lower down in the network stack.
Kerberos is designed to overcome these limitations. In this part we look at how a simple Kerberos implementation works. In this scenario we have a user using a client machine that wishes to connect to a remote service (the user here is a person or application, the client is the OS or machine). Remember that we want a system that allows us to store shared secrets centrally, and to securely transmit user credentials between client and service. Lastly we should look to prevent replay attacks (where someone who is sniffing the wire can replay captured packets to impersonate a legitimate user, even if they do not know how to create the authentication packets themselves).
To begin with we introduce the Kerberos KDC - Key Distribution Centre. In the Windows Active Directory world, the KDC lives on Domain Controllers (DCs). The client connects to the Authentication Service (AS) that runs on the KDC and asks the AS to authenticate the user to the remote service. Technically, the client doesn't need to authenticate itself to the Domain Controller. However in the Active Directory world, something called pre-authentication is used to ensure that the user (or client application) is actually who they say they are.
The AS on the KDC generates a session key that will be used by the client and the remote service. It encrypts the session key with the user's password (this is why the user doesn't need to authenticate - if the user isn't who they say they are, they won't be able to decrypt the session key because they don't know the user's password). The KDC also prepares a second piece of data - it again encrypts the session key as well as the user's username (known as a Kerberos principal), but using the service's password this time to encrypt the data. Only the remote service will be able to decrypt this second piece of data. This second piece of data is known as the Service Ticket (or just Ticket).
The KDC now sends both pieces of data back to the client. The user, knowing their own password, is able to decrypt the first piece of data, and extract the session key. The user however does not know the service's password, so is unable to decrypt the second piece of data. The client uses the session key to encrypt the current time (amongst other things, but they aren't so important right now). This piece of data is known as the Authenticator. The client sends the Authenticator it just generated, along with the Service Ticket received from the KDC, to the remote service.
The remote service is able to decrypt the Service Ticket using its own password. It is thus able to get access to the session key, and the Principal (user) attempting to connect. It now uses the session key to decrypt the Authenticator, and extract the time. It compares the time to the current system time on the server to ensure a match. Since only the service, the KDC and the user know the session key, the service can assume that the user must be who they say they are.
If an imposter sent a Service Ticket to the service (e.g. by replaying captured packets) they wouldn't know the correct session key necessary to encrypt the timestamp correctly. Alternatively, if the imposter attempts to use captured Authenticator packets (which contain a timestamp), thus bypassing the need to know the session key, then the times will not match when the Authenticator is decrypted by the service and the service will refuse to authenticate the remote user.
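The AS exchange, ticket, authenticator and the two replay checks described in the last five paragraphs, carried through as an added, runnable Python model (this is not the article's code and not real Kerberos message formats). Assumptions: a toy encrypt-then-MAC built from SHA-256 and HMAC stands in for a Kerberos encryption type; keys are derived from passwords with a plain SHA-256 rather than the real string-to-key function; the principal names "alice" and "HTTP/web01.example.local" and all keys are constructed sample values. Beyond the article's clock-skew check, the service also keeps a replay cache of authenticators already accepted inside the skew window, which is what real Kerberos implementations do as well.

```python
import hashlib
import hmac
import json
import os

# --- Toy authenticated encryption standing in for "encrypt under key K" (illustration only) ---
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, message: dict) -> bytes:
    """Encrypt a JSON message under key and append an HMAC tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    plaintext = json.dumps(message).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag and decrypt; raises ValueError when the key is wrong or data was altered."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cannot decrypt: wrong key or tampered data")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)

class KDC:
    """Authentication Service: the only party holding every principal's long-term key."""
    def __init__(self, long_term_keys: dict):
        self.keys = long_term_keys

    def as_request(self, user: str, service: str):
        session_key = os.urandom(32)
        # Part 1: session key for the user, encrypted under the user's key.
        for_user = seal(self.keys[user], {"session": session_key.hex(), "service": service})
        # Part 2: the Service Ticket, session key + principal encrypted under the service's key.
        ticket = seal(self.keys[service], {"session": session_key.hex(), "principal": user})
        return for_user, ticket

class Client:
    def __init__(self, user: str, password_key: bytes):
        self.user, self.key, self.session_key, self.ticket = user, password_key, None, None

    def receive_as_reply(self, for_user: bytes, ticket: bytes) -> None:
        self.session_key = bytes.fromhex(unseal(self.key, for_user)["session"])
        self.ticket = ticket  # opaque to the client: it lacks the service's key

    def make_authenticator(self, now: int) -> bytes:
        return seal(self.session_key, {"principal": self.user, "time": now})

class Service:
    def __init__(self, name: str, key: bytes, max_skew: int = 300):
        self.name, self.key, self.max_skew = name, key, max_skew
        self.seen = set()  # replay cache: (principal, timestamp) pairs already accepted

    def authenticate(self, ticket: bytes, authenticator: bytes, now: int):
        try:
            t = unseal(self.key, ticket)
        except ValueError:
            return (False, "ticket not for this service")
        session_key = bytes.fromhex(t["session"])
        try:
            a = unseal(session_key, authenticator)
        except ValueError:
            return (False, "authenticator not encrypted with session key")
        if a["principal"] != t["principal"]:
            return (False, "principal mismatch")
        if abs(now - a["time"]) > self.max_skew:
            return (False, "timestamp outside allowed clock skew")
        if (a["principal"], a["time"]) in self.seen:
            return (False, "replayed authenticator")
        self.seen.add((a["principal"], a["time"]))
        return (True, t["principal"])

def demo() -> dict:
    """Constructed scenario: one honest logon, then the three failure modes from the article."""
    keys = {"alice": hashlib.sha256(b"alice-password").digest(),                 # constructed
            "HTTP/web01.example.local": hashlib.sha256(b"service-secret").digest()}  # constructed
    kdc, alice = KDC(keys), Client("alice", keys["alice"])
    svc = Service("HTTP/web01.example.local", keys["HTTP/web01.example.local"])
    alice.receive_as_reply(*kdc.as_request("alice", svc.name))
    now = 1_700_000_000
    auth = alice.make_authenticator(now)
    results = {"legit": svc.authenticate(alice.ticket, auth, now + 2)}
    # Captured ticket + authenticator presented again ten minutes later: timestamp check fails.
    results["late_replay"] = svc.authenticate(alice.ticket, auth, now + 600)
    # Presented again inside the skew window: the replay cache catches it.
    results["fast_replay"] = svc.authenticate(alice.ticket, auth, now + 3)
    # Ticket only, no session key: an authenticator under any other key cannot be decrypted.
    forged = seal(os.urandom(32), {"principal": "alice", "time": now})
    results["no_session_key"] = svc.authenticate(alice.ticket, forged, now)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} -> {outcome}")
```

The service never learns the user's password and the client never learns the service's key; the only thing both share is the per-session key that the KDC minted, which is why the timestamp inside the authenticator is proof of possession. Note that the clock-skew check alone lets a captured authenticator be reused within the skew window (here five minutes), which is why the replay cache is needed in addition to it.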
If this was the extent of Kerberos, then each and every time the client received an encrypted session key from the KDC, the user would need to enter their password to allow the client machine access to it. That could rapidly become a productivity sinkhole (imagine having to enter your password for each and every HTTP request you made!). To get around this, the client machine could cache the user's password, but that isn't a particularly secure system. What Kerberos does is introduce the concept of a Ticket Granting Ticket (TGT).
Ticket Granting Tickets are issued by the AS running on the KDC in the same way that a normal service ticket is issued. However the TGT is valid for the Ticket Granting Service, rather than a remote HTTP server (or any other type of server). Whenever the user wishes to connect to a remote service, it can use the TGT that it has already received to connect to the TGS. The TGS, after authenticating the user via the TGT, issues